One of my highly secured servers was hacked today. All software was up to date and the server was running:
- The latest CentOS 5 kernel
- suPHP on PHP 5
- Apache 2.2
- mod_security with an advanced ruleset
- CSF firewall
- cPanel, latest release version
- MySQL root password and root password very secure and impossible to guess
This is what I know so far. The hacker created an account out of thin air named "localhost" and escalated its permissions to superuser (UID 0):
New account [localhost] has been created with uid:[0] gid:[0] login:[/home/localhost] shell:[/bin/bash]
Account [localhost] password has changed
Account [root] password has changed
Once on the server he ran:
root 20745 0.0 0.0 10160 2996 ? Ss 10:54 0:00 \_ sshd: [email protected]/0,pts/2,pts/3,pts/4
root 20800 0.0 0.0 5396 1392 pts/0 Ss 10:54 0:00 \_ -bash
root 23079 4.1 0.1 12056 7112 pts/0 D+ 12:26 0:10 | \_ perl mass.pl -d /home -f index. -n /tmp/index.html
root 6630 0.0 0.0 6640 1708 ? Ss 11:16 0:00 \_ /usr/libexec/openssh/sftp-server
root 20460 0.0 0.0 5392 1396 pts/2 Ss 11:37 0:00 \_ -bash
root 23842 0.4 0.0 4592 472 pts/2 D+ 12:27 0:00 | \_ rm -rf /var/cpanel
root 32001 0.0 0.0 5400 1396 pts/3 Ss 11:51 0:00 \_ -bash
root 24116 5.1 0.0 4596 500 pts/3 D+ 12:28 0:07 | \_ rm -rf daily
root 14510 0.0 0.0 6492 1592 ? Ss 12:13 0:00 \_ /usr/libexec/openssh/sftp-server
root 24536 0.0 0.0 5392 1392 pts/4 Ss 12:29 0:00 \_ -bash
Thoughts?
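A few triage checks for the indicators quoted in this post, as an added example that is not part of the original post or of any cPanel tooling. It looks for a second UID 0 account in a passwd file, for "New account [...] uid:[0]" lines in an account log of the format shown above, and for the footprint of the mass.pl run (every index.* under a tree overwritten with the same payload). File and directory paths are passed as arguments and the log path and reference file are placeholders of my own choosing; the script assumes standard coreutils (awk, sed, find, sha256sum), nothing cPanel-specific.

```shell
#!/bin/sh
# Added example, not code from the original post: post-compromise triage
# checks for the indicators quoted above. Every function takes the file or
# directory to inspect as an argument so the checks can be run against a
# mounted disk image or copied files rather than the live (untrusted) host.
# Assumes coreutils (awk, sed, find, sha256sum); nothing cPanel-specific.

# Print every account in a passwd-format file that has UID 0 but is not
# named "root". Any output here is a second superuser, like "localhost".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Extract account names from log lines of the form shown in the post:
#   New account [NAME] has been created with uid:[0] gid:[...] ...
# Only uid:[0] creations are reported; ordinary accounts are ignored.
uid0_creations() {
    sed -n 's/^New account \[\([^]]*\)\] has been created with uid:\[0\].*/\1/p' "$1"
}

# A mass-defacement run (perl mass.pl -d /home -f index. -n /tmp/index.html)
# overwrites every index.* under the tree with the same payload, so groups
# of index files sharing one SHA-256 are a strong signal. Prints one line
# per duplicated hash: "<hash>: <file> <file> ...".
defaced_index_files() {
    find "$1" -type f -name 'index.*' -exec sha256sum {} + \
      | awk '{ files[$1] = files[$1] " " $2; n[$1]++ }
             END { for (h in files) if (n[h] > 1) print h ":" files[h] }'
}

# List index.* files modified more recently than a reference file, e.g. a
# file whose mtime is known to predate the intrusion (such as a backup).
index_files_newer_than() {
    find "$1" -type f -name 'index.*' -newer "$2"
}

# Usage on a copy of the data (set RUN_TRIAGE=1 to execute the checks;
# ACCOUNT_LOG and REFERENCE_FILE are placeholders for your own paths):
#   RUN_TRIAGE=1 sh triage.sh /etc/passwd ACCOUNT_LOG /home REFERENCE_FILE
if [ "${RUN_TRIAGE:-0}" = "1" ]; then
    echo "== extra UID 0 accounts =="; extra_uid0_accounts "$1"
    echo "== uid:[0] account creations in log =="; uid0_creations "$2"
    echo "== index files sharing a hash =="; defaced_index_files "$3"
    echo "== index files newer than $4 =="; index_files_newer_than "$3" "$4"
fi
```

Run it against a disk image or copied files, not the live box: with the attacker holding root, the binaries on the host itself (find, awk, sha256sum) cannot be trusted to report honestly.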